undefined | Better HN

0 pointsoftenwrong9mo ago0 comments

The operators of Maven Central deserve a lot of credit for their good stewardship. Unlike the NPM registry, Maven Central does not permit anyone to unpublish packages. Unlike the NPM registry, Maven Central requires verification of domain or forge account ownership to claim a namespace. These are good practices, and anyone seeking to create a central package registry would do well to at least consider this. Maven Central is currently operated by SonaType, but it has changed hands a few times. This article covers its history: https://www.sonatype.com/blog/the-history-of-maven-central-a...

Additionally, it is standard practice in the Java world, which is more "corporate" or "enterprise-y", for better and for worse, to have organisations operate their own internal package registries / mirrors. Even if you unpublished a major package from Maven Central, many organisations would be completely unaffected because they retain archived copies of all of their dependencies.

0 comments

lmm9mo ago

All that is true, but I think the fact that Maven has supported multiple repos and proxy repos for decades is a significant factor. SonaType deserve credit for being good stewards, but it's also relevant that they have had real competition (e.g. jFrog ran a similar public repository until recently) and if they did ever behave badly then for many organisations it would be a 1-line change in their Maven config to switch, which creates rather different dynamics compared to NP, PyPi etc..

j / k navigate · click thread line to collapse

0 pointsoftenwrong9mo ago0 comments

0 comments

lmm9mo ago

j / k navigate · click thread line to collapse